If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Cisco PIX point to point T1 configuration

Hey, what's up? First I'd like to introduce myself. My name is Chris and yes I'm a noob. I was hoping someone here could help me out. We are currently trying to configure our PIX in Texas to our PIX in NY through a point to point T1 line. I personally don't have ANY experience with Cisco but the guys at work do. It seems that they cannot get it to communicate. I know this is not much detail but any help would be appreciated. I tried finding information on Cisco's site but was unsuccessful. If anyone here has done this before, I would love to hear how you set it up. Thanks alot!!! I appreciate the help in advance!!

I'm sure more information will be needed so just tell me what you need to know and I'll get on top of it.

Point to Point T1's are a pretty simple thing. Could you post a sample config? In my experience 90% of the time when a P to P T1 doesn't come up right away, it's something with the telco. Check the line cards at the DMARC to see if there are any alarm lights. If both ends look good and you can give a little info about the circuit I'd be happy to step you through it.

I have configured several of these, I would need more information to help. Have you verified the T1 is up from end to end. What type of T1 do you have? Do you have connectivity between both ends without the PIXes? Are the T1's connected to a public network?

Work... Some days it's just not worth chewing through the restraints...

Ok.... To start with I will assume that the T1 is good. That, of course is a huge assumption on a new install of a T1. I have some 10-15 point to point T1's in my WAN and only about 4 have ever been properly installed and provisioned by SBC.....

The quick way to make a decision is to get into the router in privileged mode and type sh int ser X where X is the number of the serial interface. You should see a "SerialX is up. Line Protocol is up". This is good. If either is down then you need to start looking at the CSU/DSU or WICT1 card configuration. All my T1's are set in the following way:-

Frame: ESF
Encoding: B8ZS
Timing: Network
Timeslots: 6 or all depending on whether it is a fractional, (386kbps), or full T1.

Your Telco should be using ESF/B8ZS. If they aren't I would ask them to since it is the most efficient. The other options would be SF/AMI which are no longer the standard.

Once you are provisioned correctlyat both ends to match the Telco's settings you should see "SerialX up. Line Protocol up." when you do a sh int X.

If this is what you see then return to conf mode, (conf T) and issue the following commands on the first router

On the other router execute the same commands but give the serial interface the address 192.168.1.2 255.255.255.252. When that is done ping 192.168.1.X where X is the address of the remote router and you should see 5 successes indicated by "!"

If you cannot get "SerialX up. Line Protocol up" then check your cables and config to ensure that you are properly set up. Then call the Telco. Do _not_ let them tell you that the problem is with your equipment, (trust me... they will). One of their biggest mistakes is badly trained techs....... <sigh> A T1 usually has a minimum of 4 points where the tech can connect to to test the line, (the smartjacks, and 2 places in the central office. I suspect yours will have more). The biggest mistake they make is to enter at test point A and test towards the A end. They loop the CSU/DSU and tell you it is good. They unloop and point the other way and loop the CSU/DSU at the Z end and tell you it is good..... Then they tell you it is your problem and hang up the phone...... The Dumbass doesn't know that while he can connect to the test point and test successfully in both directions nothing, but nothing, will pass through the equipment he is testing from, 'cos it's broken. When he finishes testing the A end from the most distant test point he should disconnect from it and move to the furthest test point from Z and test Z from there.... but they don't...... You can pull your hair out for weeks if you are not careful with this one.

Good luck, and if the problem seems to be with the Telco keep us up to date..... I have a lot of experience arguing with them.......<s>

Don\'t SYN us.... We\'ll SYN you..... \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

In reading the posts, I did not see where the user listed that he had any routers. I have user both the PIX 525 and 515 and both require a router since the PIX is unable to do any routing. I will assume that the physical description is something like this:

Originally posted here by thread_killer I'm still trying to figure out why you need a pix at both ends of a point to point connection.

This, of course, is possibly why they are not able to make it work. The assumption has been that the WAN is configured in the way Infiltrator described. OTOH, if they are trying to use the PIX's as routers they are probably going to get a bit of a shock.....

Don\'t SYN us.... We\'ll SYN you..... \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Indeed, if this is a point to point T-1, I am not sure why there is a PIX on both sides. FOr the truely paranoid, I can see some use of a PIX on one of the end points. We are going on very limited info about thier network infrastructure so what we think is really just vapor. I suspect that there may not be any routers in place and they tried to connect to PIX firewalls directly to the T-1. This will not work since the PIX cannot act as a router. We can help this user more if he can answer the questions we have posed so far.

Inf: Methinks that the original author probably RTFM after he posted and is in the process of ordering a pair of routers, (and maybe returning the PIX's), and is not speaking to us any more for fear of embarrasment. After all, it's 18 hours since he posted and he is subscribed.....

Don\'t SYN us.... We\'ll SYN you..... \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

That may be the case. It was his first post. He may be really new to this and he may feel that he will get flamed if he continues to post. I personaly won't flame him since he asked a good question. He did not give us enough info to really help but I think you are right. No routers....